US 6212281 B1

Abstract

A digital signature protocol generates a signature component using a hash of an encrypted message. The component and encrypted message form a signature pair that is forwarded to a recipient. The encrypted message is used to retrieve the encryption key at the recipient and authenticate information in the message. The signature pair may be applied to a data carrier as a bar code for use in mail delivery services. By utilizing a hash of the message, a reduced message length is achieved as individual signatures are not required for each component of the message.
Claims (13)

1. A digital signature protocol for authenticating digital information transmitted by one correspondent to another over a data communication system, at least said one correspondent having a long-term private key and corresponding long-term public key associated therewith, said protocol comprising the steps of said one correspondent generating a short term public key from an integer k, encrypting a message m containing said information with an encryption key derived from said short term public key, to provide a ciphertext e of said message, applying a hash function to said ciphertext to provide a hash e′, generating a signature component, s, incorporating said hash e′, said long-term public key and said integer k, forwarding a signature pair including said ciphertext e and said component s to said other correspondent, hashing said ciphertext e received by said other correspondent with said hash function to obtain a received hash e′*, using said received hash e′* and said long-term public key to recover said encryption key from said signature component, and retrieving said message m from said ciphertext e by application of said encryption key recovered from said signature component.

2. A digital signature protocol according to claim 1 wherein said ciphertext is applied as a discernible code to a data carrier for transfer from one correspondent to said other.

3. A digital signature protocol according to claim 2 wherein said code is a two-dimensional bar code.

4. A digital signature protocol according to claim 1 wherein said message includes a certificate to authenticate said public key corresponding to said long term private key.

5. A digital signature protocol according to claim 1 wherein said signature component s has the form s=ae′+k where a is said long term private key, e′ is said hash of ciphertext e and k is said integer.

6. A digital signature protocol according to claim 1 wherein said message is composed of a plurality of discrete messages, each of which is encrypted and compiled to form said ciphertext.

7. A digital signature protocol according to claim 1 wherein said public key is derived from a point on an elliptic curve.

8. Apparatus to generate a digital signature of a message m for transmission over a data communication system, said apparatus comprising an exponentiator to generate a public key r from a short-term private key k, an encryption module to encrypt said message m with a key derived from said public key r and generate a ciphertext e, a hash function to operate on said ciphertext e and produce a hash e′ of said ciphertext, an arithmetic unit to generate a signature component incorporating said hash e′, said private key k and a long-term private key, a, and a transmitter to transmit a signature pair comprising said signature component and said ciphertext over said communication system.

9. Apparatus according to claim 8 wherein said arithmetic unit generates a signature component of the form s=ae′+k where a is a second private key, e′ is said hash of ciphertext e, and k is said private key.

10. Apparatus according to claim 8 including a bar code generator to produce a discernible bar code of said signature pair on a carrier.

11. Apparatus to verify a digital signature received over a data communication system, said apparatus including a receiver to receive a signature pair including ciphertext, e, and a signature component s incorporating a short term private key k, a long-term private key, a, and a hash e′ of ciphertext, e, of a message m, a hash function to operate on said ciphertext e and provide a hash e′*, an arithmetic unit to recover an encryption key correlated to said private key k and an encryption module to apply said encryption key to said ciphertext and recover said message m.

12. Apparatus according to claim 11 wherein said signature component is of the form s=ae′+k where a is a long-term private key, e′ is a hash of said ciphertext e, and k is said private key.
13. Apparatus according to claim 11 including a bar code reader to read a bar code representing said signature pair on a carrier.

Description

The present invention relates to digital signature protocols. Public key encryption schemes are well known and utilize a public key and a private key that are mathematically related. The more robust are based upon the intractability of the discrete log problem in a finite group. Such public key encryption systems utilize a group element and a generator of the group. The generator is an element from which each other group element can be obtained by repeated application of the underlying group operation, i.e. repeated composition of the generator. Conventionally, this is considered to be an exponentiation of the generator to an integral power and may be manifested as a k-fold multiplication of the generator or a k-fold addition of the generator depending upon the underlying group operation. In such a public key encryption system, an integer k is used as a private key and is maintained secret. A corresponding public key is obtained by exponentiating the generator α with the integer k to provide a public key in the form α^k. The public and private keys may be utilized in a message exchange over a data communication system where one of the correspondents may encrypt the data with the recipient's public key α^k. A similar technique may be utilized to verify the authenticity of a message by utilizing a digital signature. In this technique, the transmitter of the message signs the message with a private key k and a recipient can verify that the message originated from the transmitter by decrypting the message with the transmitter's public key α^k. Various protocols exist for implementing a digital signature scheme and some have been widely used.
In each protocol, however, it is necessary to guard against an existential attack, where an impostor may substitute a new message within the transmission that leads the recipient to believe he is corresponding with a particular individual. Once such authentication is established, the recipient may disclose information that he should not, or incorrectly attribute information to the sender. To avoid an existential attack, it is usual for the message to include some redundancy, e.g. by repeating part or in some cases all of the message. This redundancy serves as the part of the message that confirms authenticity: it provides a pattern within the recovered message that would be expected by the recipient. Any tampering with the message would be unlikely to produce such a pattern when decrypted and so would be readily detected. The redundancy does, however, increase the message length and therefore the bandwidth necessary to transmit the message. Generally this is undesirable and its effect is seen as a reduced message transmission rate. In some applications, however, the length of the message is critical, as the signed message may be reproduced as a printed document and the length of the message then influences the size of the printed document. Such an application is in a mail environment where a bar code may be used to indicate destination, postage, rate, and the sender. To avoid fraud, the message is digitally signed by an authority and a digital bar code compiled that represents the information contained in the signed message. The bar code representation has particular physical limitations for readability and to avoid errors caused by, e.g., ink bleeding. As a result, a long message produces a bar code that is unduly large, particularly where the redundancy required to avoid the existential attack is provided by repetition of the whole message.
The problem of message length is particularly acute with digital signatures of messages that are composed of discrete blocks, as for example in such a mail environment. In a conventional signature protocol, a short term secret key k (the session key) is selected and used to exponentiate the generator α of the underlying group to obtain a short term public key r=α^k. A signature component, s, is generated that contains information to enable the authenticity of the signature to be verified. The nature of the signature component depends upon the protocol implemented, but a typical exemplary protocol utilizes a signature component s of the form s=ae+k mod (n) where n is the order of the group. The values of the signature pair s,e are forwarded. In this protocol, the recipient calculates α The ciphertext e can then be decrypted using the key r′ to retrieve the message m. With a message composed of multiple blocks, i.e. m=m It is therefore an object of the present invention to obviate or mitigate the above disadvantages. In general terms, the present invention generates an encrypted message string, e, with a key, r′, and the ciphertext is forwarded to the recipient. The encrypted message string e is also processed by a hash function and the resulting hash e′ is utilized in the signature s. The recipient recovers the message by hashing the message string e and utilizes the value to recover the encryption key, r′. The message can then be recovered from the message string e. If appropriate, the redundancy may be checked to ensure the accuracy of the message, but only one signature pair needs to be transferred. Since the signature is generated from the hash of the encrypted message string e, individual blocks of data cannot be altered. As a further preference, the certificate accompanying the message may be incorporated into the message as one of the blocks and signed.
The certificate will have the requisite redundancy for authentication but, because the hash of the string is used in the signature, the remaining blocks do not need any redundancy. Accordingly, a shorter message can be utilized. Embodiments of the invention will now be described by way of example only, with reference to the accompanying drawings, in which FIG. 1 is a schematic representation of a data communication system; FIG. 2 is a schematic representation of a block of messages; FIG. 3 is a flow chart showing the generation of a digital signature and recovery of a message; and FIG. 4 is a schematic representation similar to FIG. 2 of an alternative embodiment. Referring therefore to FIG. 1, a data communication system Each of the correspondents As may be seen from FIG. 2, the correspondent In order to sign digitally the message m, the correspondent A bit string r′ is obtained from r by application of a predetermined algorithm, such as a modulo reduction or, where the implementation is over an elliptic curve, one coordinate of the point representing the public key, and utilized as a key by the encryption unit to encrypt each of the blocks m e=e The encryption unit A signature component s is then generated by an arithmetic unit
where a is the long-term private key of the correspondent The encryption unit assembles the message and sends as the signature pair the message string e and the signature component s from a transmitter Upon receipt by the recipient
An encryption key r*′ is then derived from the recovered public key. An encryption module It will be understood that the procedure outlined in FIG. 3 may be implemented as software and performed on a general purpose computer or may be implemented in a special purpose integrated circuit. It will be noted that the hash value e′ is a hash of all the encrypted blocks that are concatenated and so it is not possible to tamper with one of the blocks without affecting the resultant hash value. However, although multiple blocks are sent and recovered, only one signature is required which reduces the overall message length. A further embodiment is shown in FIG. 4 in which like reference numerals will indicate like parameters, with the suffix ‘a’ added for clarity. In the embodiment of FIG. 4, a certificate issued by a secure authority is included as a message block m The hash e′
Upon recovery by the recipient It will be understood that the signature component s may be of any suitable form commonly used in digital signature protocols that allow the recovery of the short term public key and hence the encryption key from a hash of the encrypted message.
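The protocol described above (the claim 5 component s=ae′+k, the hash e′ taken over the concatenated encrypted blocks, and the FIG. 4 certificate block that alone carries redundancy), as an added Python illustration that is not code from the patent: the recipient recovers r as α^s·(α^a)^(−e′*), which is the arithmetic behind the page's statement that e′* and the long-term public key recover the key from s. The toy prime-field group, the SHA-256 derivation of r′ from r, the XOR block encryption and the sample mail fields are assumptions constructed for this example.

```python
import hashlib
from secrets import randbelow

P = 2**127 - 1              # Mersenne prime: toy group Z_p^* of order N = P - 1 (not a secure size)
N, G, BLOCK = P - 1, 3, 16  # group order (exponents reduced mod N), generator, block length

def h_int(data: bytes) -> int:
    """Hash function H applied to the ciphertext e, reduced into the exponent range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def enc_key(r: int) -> bytes:
    """Bit string r' from r (assumption: SHA-256 stands in for the unspecified derivation)."""
    return hashlib.sha256(r.to_bytes(16, "big")).digest()

def xor_blocks(key: bytes, blocks: list) -> list:
    """Encryption unit stand-in: XOR block i with a keystream from r' and i; self-inverse."""
    return [bytes(x ^ y for x, y in zip(blk, hashlib.sha256(key + bytes([i])).digest()))
            for i, blk in enumerate(blocks)]

def sign(a: int, blocks: list, k: int = None) -> tuple:
    """Sender: r = G^k, e = e_1||...||e_n (each block under r'), e' = H(e),
    s = a*e' + k mod N.  The signature pair (e, s) is what is transmitted."""
    k = k or 1 + randbelow(N - 1)
    r = pow(G, k, P)
    e = b"".join(xor_blocks(enc_key(r), blocks))
    return e, (a * h_int(e) + k) % N

def recover(pub_a: int, e: bytes, s: int) -> list:
    """Recipient: e'* = H(e); r* = G^s * pub_a^(-e'*) = G^(s - a*e'*) = G^k when e
    is intact; derive r*' from r* and decrypt every block of e with it."""
    e_star = h_int(e)
    r_star = pow(G, s, P) * pow(pub_a, N - e_star, P) % P
    return xor_blocks(enc_key(r_star), [e[i:i + BLOCK] for i in range(0, len(e), BLOCK)])

def cert_ok(block: bytes) -> bool:
    """FIG. 4 style check: the certificate block alone carries redundancy (field repeated)."""
    return block[:BLOCK // 2] == block[BLOCK // 2:]

def demo() -> tuple:
    a = 1 + randbelow(N - 1)            # sender's long-term private key
    pub_a = pow(G, a, P)                # sender's long-term public key
    blocks = [b"AUTH0001" * 2, b"DEST:K1A0B1     ", b"POST:0.92 CAD   "]  # constructed: cert + mail fields
    e, s = sign(a, blocks)
    good = recover(pub_a, e, s)
    tampered = bytearray(e)
    tampered[BLOCK + 5] ^= 0x01         # alter one byte of block 2 only
    bad = recover(pub_a, bytes(tampered), s)
    # Intact pair recovers m with the certificate check passing; any altered block changes
    # H(e), hence r* and r*', so every block (including the certificate) decrypts wrongly.
    return (good == blocks and cert_ok(good[0]), cert_ok(bad[0]))
```

demo() returns (True, False): the untouched pair verifies and the tampered one fails the certificate redundancy check even though only a non-certificate block was changed.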